
APD/GBA (Belgium) - 162/2024

From GDPRhub
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(2) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 17 GDPR
Article 24 GDPR
Type: Complaint
Outcome: Upheld
Started: 05.02.2024
Decided: 12.12.2024
Published: 12.12.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 162/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: APD/GBA (in FR)
Initial Contributor: claratab

The DPA issued a warning to a media company after it failed to adequately answer and comply with an erasure request for more than a year, thus violating Article 12 GDPR and Article 17 GDPR.

English Summary

Facts

The controller published a press article, which contained the data subject’s personal data, on their website.

On 13 July 2021, the data subject sent an erasure request to the controller. The request referred to the article concerned via a web link. The data subject received a confirmation of receipt on 4 September 2022, more than a year later. The data subject then received no further response from the controller. The data subject reiterated their request three times in January 2024 and made a mediation request to the DPA on 5 February 2024.

The controller argued that the request had already been granted and that the link no longer led to the article. The DPA transmitted the answer to the data subject in April 2024 and closed the mediation process on 7 May 2024.

The data subject filed a complaint with the DPA on 23 May 2024, as the article remained available on the controller’s website via another link.

During the procedure, the controller erased the article from its website and apologised for the inconvenience, pointing to a technical mistake. The data subject declared themselves satisfied with the controller’s declaration.

Holding

The DPA considered that the controller failed to inform the data subject and to facilitate their erasure request in accordance with Article 12(2) GDPR and Article 12(3) GDPR in relation to Article 17 GDPR. The DPA noted that the controller should have erased the personal data following the erasure request and informed the data subject of any measure taken.

Furthermore, the DPA pointed out that the controller may have breached Article 5 GDPR and Article 24 GDPR, stressing its obligation to implement technical and organizational measures to ensure compliance with the GDPR. The DPA took into consideration the time taken by the controller to answer the erasure request and the controller's failure to delete the article concerned. According to the DPA, those two factors highlighted the possibility of technical and organizational deficiencies in the management of rights requests.

The DPA warned the controller and stressed that the aim of the warning is to prevent such a breach from happening again.

Comment

The decision emphasizes the need for controllers to build strong technical and organisational measures to manage rights requests from data subjects and ensure the efficiency of their responses. The DPA took into consideration the risk of repetition when issuing a warning to the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Litigation Chamber

Decision 162/2024 of 12 December 2024

File number: DOS-2024-00642

Subject: Complaint regarding the request for deletion of a press article available online

The Litigation Chamber of the Data Protection Authority, consisting of Mr. Hielke HIJMANS, President, sitting alone;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter "LCA";

Having regard to the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data, hereinafter "LTD";

Having regard to the Rules of Procedure as approved by the Chamber of Representatives on 1 December 2018 and published in the Belgian Official Gazette on 15 January 2019;

Having regard to the documents in the file;

Has taken the following decision concerning:

The complainant: X, hereinafter “the complainant”

The defendant: Y, hereinafter “the defendant”

1 The new internal regulations of the APD, following the amendments made by the Law of 25 December 2023 amending the law of 3 December 2017 establishing the Data Protection Authority (LCA) came into force on 01/06/2024. In accordance with Article 56 of the law of 25 December 2023, it only applies to complaints, mediation files, requests, inspections and procedures before the Litigation Chamber initiated from this date: https://www.autoriteprotectiondonnees.be/publications/reglement-d-ordre-interieur-de-l-autorite-de-protection-des-donnees.pdf. Cases initiated before 01/06/2024, as in this case, are subject to the provisions of the LCA as not amended by the Law of 25 December 2023 and the internal regulations as they existed before that date.

I. Facts and procedure

1. On 5 February 2024, the complainant filed a request for mediation with the Data Protection Authority (DPA).

2. The complainant explained that he had been the subject of a press article by the defendant, which was available on the latter's website. The complainant wanted this article to be deleted, or at least for his personal data to no longer appear in it.

3. On 13 July 2021, the complainant requested that the defendant delete his surname, first name and any other personal data concerning him from the article accessible via the following link: “[…]”. He further requested that the defendant notify all recipients to whom it had initially communicated the data in question of this deletion of data, in accordance with Article 19 of the GDPR.

4. On 4 September 2022, the complainant received an acknowledgment of receipt from the defendant, confirming that his request had been processed. The subject of this email is titled as follows: "[…] data erasure request […]". The exchanges do not allow us to deduce whether this email was sent in response to the complainant's request of 13 July 2021.

5. On 17 January 2024, the complainant reiterated his request for erasure in the same terms as in his email of 13 July 2021. He sent reminders on 24 and 30 January 2024.

6. On 28 February 2024, the Frontline Service (hereinafter "FLS") of the APD contacted the defendant regarding the complainant's request for erasure.

7. On 27 March 2024, given the lack of response from the defendant, the FLS sent a registered letter as a reminder. The following day, the defendant replied that it had granted the complainant’s request.

8. On 2 April 2024, the defendant’s response was sent to the complainant, who acknowledged receipt of it the same day.

9. On 8 April 2024, the complainant informed the FLS that the disputed press article was still online. On 15 April 2024, he reported the same problem to the FLS.

10. On 30 April 2024, the FLS questioned the defendant in this regard. On the same day, the defendant replied that the link identified (see point 3) no longer referred to the disputed article.

11. On 7 May 2024, noting that the previously identified link did not refer to the disputed article concerning the complainant, the FLS declared the mediation successful. This information was communicated to both parties. On the same day, the complainant stated that while the link had indeed been modified, the disputed article was still available online and still contained his personal data. He further specified that the article was the first result that appeared when he searched for his first and last name via the Google search engine.

12. On 23 May 2024, the complainant converted his mediation into a complaint.

13. On 28 May 2024, the FLS declared the complaint admissible on the basis of Articles 58 and 60 of the LCA, and forwarded it to the Litigation Chamber in accordance with Article 62, § 1 of the LCA.

14. On 5 September 2024, in accordance with the information obligation provided for in Article 95, § 2 of the LCA, the Litigation Chamber informed the parties of the existence of this file as well as the content of this complaint. It specified that the defendant had the possibility to consult and copy the file at the secretariat of the Litigation Chamber. The defendant was also informed that it had a period of 14 days to submit its observations.

15. Following multiple exchanges that took place between the complainant and the defendant following receipt of the letter referred to in the paragraph above, the defendant removed the disputed article from its website and also apologized for the technical and human inconveniences. The complainant declared himself satisfied with this. The defendant clarified, in an email dated 17 September 2024, that the fact that the disputed publication could be found via a new URL address could only be the result of a technical error.

II. Grounds

16. In this case, it appears that the complainant exercised his right to erasure, in accordance with Article 17 of the GDPR, for the first time on 13 July 2021. He again requested the erasure of the same article on 17 January 2024. On 28 March 2024, the defendant responded that it had granted the complainant's request, without this being entirely the case, it being understood that the article whose erasure the complainant requested remained accessible via a new URL address. On 17 September 2024, the defendant informed the complainant that it had properly deleted the press article in question. The defendant claimed that this situation was caused by technical errors.

17. The Litigation Chamber first recalls that under Article 12.1 of the GDPR, it is up to the data controller to take “appropriate measures to provide any information referred to in Articles 13 and 14 and to make any communication under Articles 15 to 22 and Article 34 concerning the processing to the data subject in a concise, transparent, comprehensible and easily accessible manner, in clear and plain language [...].”

18. In addition, it is the responsibility of the data controller to facilitate the exercise of the rights of the data subject (Article 12.2 of the GDPR) and to provide him/her with information on the measures taken following a request made under Articles 15 to 22 of the GDPR, as soon as possible and in any event within one month of receipt of the request. Article 12.3 of the GDPR provides that this period may, if necessary, be extended by two months, taking into account the complexity and number of requests. In such a case, the data controller shall inform the data subject of this extension and of the reasons for the postponement within one month of receipt of the request.

19. Article 17.1 of the GDPR provides for six grounds that grant the individual the right to request the erasure of personal data held by the controller concerning him or her, and oblige the controller to comply with the request, which are as follows:

"(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based, in accordance with Article 6(1)(a) or Article 9(2)(a) and there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1)."

20. The third paragraph of Article 17 of the GDPR provides for five exceptions to the application of its paragraphs 1 and 2. None of these exceptions has been invoked by the respondent.

2 Article 17.3 of the GDPR: "3. Paragraphs 1 and 2 shall not apply to the extent that such processing is necessary:
(a) for exercising the right to freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health, in accordance with Article 9(2)(h) and (i) and Article 9(3);
(d) for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), to the extent that the right referred to in paragraph 1 is likely to make it impossible or seriously jeopardize the achievement of the objectives of said processing; or
(e) for the establishment, exercise or defense of legal claims."

21. The Litigation Chamber further specifies that, on the basis of the combined reading of Articles 12 and 17 of the GDPR, it should be understood that the controller must not only erase the personal data it holds about the data subject as soon as possible, and at least within one month from the day on which the data subject made the request (with some exceptions), but must also inform the data subject of the measures taken to this effect.

22. In the present case, the Litigation Chamber finds that the defendant failed to comply with Articles 12.3 and 17 of the GDPR since the request for erasure was first made on 13 January 2021, and reiterated on 17, 24 and 30 January 2024. The FLS brought this request for erasure to the defendant's attention on 28 February 2024. On 28 March 2024, the defendant responded to the FLS's request after a reminder, and confirmed that it had deleted the press article as requested by the complainant, without however specifying whether it had informed the complainant or not. Furthermore, it is clear from the facts that the article was still available online, but at a separate URL address. On 17 September 2024, the defendant finally confirmed to the complainant that it had properly deleted the press article from its website, with the complainant declaring himself satisfied on 26 September 2024. The Litigation Chamber adds that the defendant may have failed to comply with Article 12.2 of the GDPR, given the time and discussions taken to understand that the press article that the complainant was requesting to be deleted was still accessible via a URL address other than the initial URL address, which the complainant had put forward to the FLS on 17 May 2024, and which was part of the case documents sent to the controller on 5 September 2024.

23. Secondly and finally, the Litigation Chamber recalls that under Articles 5.2 and 24 of the GDPR, data controllers are required to implement all appropriate technical and organisational measures with a view to compliance with the GDPR, and must be able to demonstrate this (principle of responsibility or accountability).

24. The defendant must establish robust technical and organizational measures in order to appropriately handle the rights of the persons concerned, all the more so in view of the size of the defendant's presence in the Belgian media sector and the risks arising from this.

25. In this case, the fact that the defendant took so long to respond to the complainant's request for deletion, combined with the fact that after having believed that it had deleted the disputed article from its

3 EDPB, Guidelines 4/2019 on Article 25 – Data protection by design and by default (V2) of 20 October 2020, point 14: “In this regard, the measures and safeguards should be designed in a robust manner and the controller should be able to implement additional measures to adapt to a possible increase in risk.” Accessible via: https://www.edpb.europa.eu/system/files/2021-04/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf.

contain the information listed in Article 1034ter of the Judicial Code. The interlocutory application must be filed with the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code).

(Sgd.) Hielke HIJMANS

President of the Litigation Chamber

4 The application must contain, under penalty of nullity:
1° the indication of the day, month and year;
2° the surname, first name, address of the applicant, as well as, where applicable, his/her qualifications and national register number or company number;
3° the surname, first name, address and, where applicable, the qualification of the person to be summoned;
4° the subject and summary statement of the grounds of the application;
5° the indication of the judge who is seized of the application;
6° the signature of the applicant or his/her lawyer.

5 The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.